But a majority of U.S. banks appear unprepared to meet the Dec. 31 deadline by which they're supposed to comply with the guidelines, several analysts said this week. They placed much of the blame for the current lack of preparedness on the fact that the guidelines aren't mandatory and leave it up to banks to decide what form of strong authentication they should implement.

"Most banks haven't done much with [the guidelines] because there is still some confusion as to what needs to be done," said George Tubin, an analyst at TowerGroup in Needham, Mass.

That isn't the case at Zions Bancorporation in Salt Lake City. Preston Woods, the company's chief information security officer, said the release of the guidelines last October by the Federal Financial Institutions Examination Council gave a push to a strong authentication initiative that Zions had already started. "It validated what we were doing, and it gave us a deadline," he said.

Earlier this month, the company's Zions Bank unit added a multifactor authentication feature called SecurEntry for users of its online banking services. Woods said SecurEntry is based on technology from RSA Security Inc. and allows Zions to better authenticate users to its Web site and ensure that they know they're connected to a legitimate site.

The technology works by profiling the devices that customers typically use to log into the bank's online systems. Whenever there are changes, such as when a customer logs in from a new location or using a different system, SecurEntry challenges users with specific questions that only they should be able to answer, Woods said. He added that the bank views the process as being minimally disruptive to users.